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WHAT IS CLAIMED IS: 

1 1. A system for detecting, tracking and blocking one or more 

2 denial of service attacks over a computer network, the system comprising: 

3 a collector adapted to receive a plurality of data statistics from the 

4 computer network and to process the plurality of data statistics to detect one or 

5 more data packet flow anomalies and to generate a signal representing the one or 

6 more data packet flow anomalies; and 

7 a controller coupled to the collector to receive the signal; 

8 wherein the controller is constructed and arranged to respond to the 

9 signal by tracking attributes related to the one or more data packet flow anomalies 

10 to at least one source, and wherein the controller is constructed and arranged to 

1 1 block the one or more data packet flow anomalies. 

1 2 . The system of claim 1 , wherein the collector includes a buffer 

2 coupled to the computer network and being adapted to process the plurality' of data 

3 statistics to generate at least one record. 

1 3 . The system of claim 2, wherein the collector further includes 

2 a profiler coupled to the buffer and being adapted to receive and process the record 

3 to generate a predetermined threshold. 

1 4. The system of claim 3, wherein the profiler includes means 

2 for aggregating the data statistics to obtain a traffic profile of network flows. 

1 5. The system of claim 4, wherein the data statistics are 

2 aggregated based on at least one invariant feature of the network flows. 

1 6. The system of claim 4, wherein data statistics are aggregated 

2 based on temporal, static network and dynamic routing parameters. 

1 7. The system of claim 5, wherein the at least one invariant 

2 feature includes source and destination endpoints. 
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1 8 . The system of claim 3 , wherein the collector further includes 

2 a detector coupled to the buffer and to the profiler, the collector being adapted to 

3 receive and process the record and the predetermined threshold to detect if attributes 

4 associated with the record exceed the predetermined threshold representing the one 

5 or more data packet flow anomalies. 

1 9. The system of claim 8, wherein the collector further includes 

2 a local controller coupled to the detector and to the profiler and being adapted to 

3 receive and respond to the one or more data packet flow anomalies by generating 

4 the signal representing the one or more data packet flow anomalies. 

1 10. The system of claim 9, wherein the detector includes a 

2 database for storing the at least one record, predetermined threshold, the one or 

3 more data packet flow anomalies, and related information. 

1 11. The system of claim 10, wherein the profiler includes a 

2 database for storing a plurality of data packet flow profiles and related information. 

1 12. The system of claim 1, wherein the controller includes a 

2 filtering mechanism for blocking the one or more data packet flow anomalies. 

1 13. The system of claim 12, wherein the filtering mechanism 

2 includes a plurality of filter list entries. 

1 14. The system of claim 12, wherein the filtering mechanism 

2 includes a plurality of rate limiting entries. 

1 15. The system of claim 1, wherein the controller includes a 

2 correlator coupled to the collector and being adapted to receive and normalize the 

3 plurality of signals representing the one or more data packet flow anomalies and to 

4 generate an anomaly table including the attributes related to the one or more data 

5 packet flow anomalies. 
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1 16. The system of claim 15, wherein the correlator includes a 

2 database for storing the anomaly table. 

1 17. The system of claim 16, wherein the correlator further 

2 includes an adapter that is constructed and arranged to communicate the anomaly 

3 table to a computing device for further processing. 

1 18. The system of claim 16, wherein the controller further 

2 includes: 

3 a web server; and 

4 access scripts that cooperate with the web server to enable the 

5 computing device to access the database defined on the controller to view the 

6 anomaly table. 

1 19. A system comprising: 

2 at least one routing system; 

3 a plurality of computer systems coupled to the routing system; and 

4 means for detecting one or more denial of service attacks 

5 communicated to the plurality of computer systems over the at least one routing 

6 system. 

1 20. The system of claim 19, further including a means for 

2 tracking the one or more denial of service attacks communicated to the plurality of 

3 computer systems over the at least one routing system. 

1 21. The system of claim 20, further including a means for 

2 blocking the one or more denial of service attacks communicated to the plurality of 

3 computer systems over the at least one routing system. 

1 22. The system of claim 21, wherein the means for detecting 

2 includes a means for collecting a plurality of data statistics from the at least one 

3 routing system. 



-25- 



UOM 0234 PUS 
1900.1 



1 23. The system of claim 22, wherein the means for detecting 

2 further includes a means for processing the plurality of data statistics to detect one 

3 or more data packet flow anomalies. 

1 24. The system of claim 23, wherein the means for detecting 

2 further includes a means of generating a plurality of signals representing the one or 

3 more data packet flow anomalies. 

1 25. The system of claim 24, wherein the means for tracking 

2 includes a means for receiving and responding to the plurality of signals by tracking 

3 attributes related to the one or more data packet flow anomalies to at least one 

4 source. 

1 26. The system of claim 19, further including a means for 

2 communicating the one or more denial of service attacks to a computing device for 

3 further processing. 

1 27. A method for detecting, tracking and blocking one or more 

2 denial of service attacks over a computer network, the system comprising the steps 

3 of: ; 

4 collecting a plurality of data statistics from the computer network; 

5 processing the plurality of data statistics to detect one or more data 

6 packet flow anomalies; 

7 generating a plurality of signals representing the one or more data 

8 packet flow anomalies; and 

9 receiving and responding to the plurality of signals by tracking 

10 attributes related to the one or more data packet flow anomalies to at least one 

11 source. 

1 28 . The method of claim 27, further including the step of blocking 

2 the one or more data packet flow anomalies in close proximity to the at least one 

3 source. 
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1 29. The method of claim 28, wherein the step of collecting the 

2 plurality of data statistics includes: 

3 buffering the plurality of data statistics; 

4 processing the plurality of data statistics to generate at least one 

5 record; and 

6 receiving and profiling the at least one record to generate a 

7 predetermined threshold. 

1 30. The method of claim 29, wherein the step of collecting the 

2 plurality of data statistics further includes; 

3 detecting if attributes related to the at least one record exceed the 

4 predetermined threshold representing the one or more data packet flow anomalies. 

1 31. The method of claim 30, wherein the step of collecting the 

2 plurality of data statistics further includes: 

3 responding locally to the one or more data packet flow anomalies by generating the 

4 plurality of signals representing the one or more data packet flow anomalies. 

1 32. The method of claim 27, wherein the step of receiving and 

2 responding to the plurality of signals includes: 

3 correlating the plurality of signals representing the one or more data 

4 packet flow anomalies; and 

5 generating an anomaly table including the attributes related to the one 

6 or more data packet flow anomalies. 

1 33. The method of claim 32, wherein the step of receiving and 

2 responding to the plurality of signals further includes the step of communicating the 

3 anomaly table to a computing device for further processing. 
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